05/14/2008

Another day, another DSA...

Debian has published Security Advisories for two consecutive days, trying to get a grip on what looks like a massive security hole in their SSH and SSL offerings. I spent 4 hours yesterday and another one this morning going through all the systems, locking things down.

Details are still surfacing, but this time it seems they have outdone themselves, making the key space apparently very, very small (we're talking '5 minute brute force' small). There are some bits of info on http://wiki.debian.org/SSLkeys.

The best analysis so far is at http://metasploit.com/users/hdm/tools/debian-openssl/. The key space is indeed tiny. Debian's sshd now checks for and denies the most common weak keys, but sshd from other distros doesn't, so if you have uploaded weak keys anywhere else, those systems remain exposed.
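The check described above, done by hand for hosts whose sshd does not do it: parse an authorized_keys file, fingerprint each key and flag any on a weak-key blacklist. This is an added example, not code from the original post or from Debian; the key blobs, the blacklist and the sample file are all constructed, and a real blacklist must come from a vetted source.

```python
# Added example, not from the original post: audit authorized_keys against a
# weak-key blacklist, mirroring the denial Debian's patched sshd now does. Data constructed.
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519")

def ssh_blob(key_type: str, key_bytes: bytes) -> str:
    """Base64 of an SSH wire-format public key: two length-prefixed strings."""
    raw = (struct.pack(">I", len(key_type)) + key_type.encode()
           + struct.pack(">I", len(key_bytes)) + key_bytes)
    return base64.b64encode(raw).decode()

def fingerprint(blob_b64: str) -> str:
    """SHA-256 fingerprint in the form 'ssh-keygen -l' prints it."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Yield (lineno, type, blob, comment); skip blanks, '#' comments and any
    leading option string such as from="..." by locating the key-type token."""
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line: nothing to check
        yield lineno, tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:])

def find_weak_keys(text: str, blacklist: set) -> list:
    """Return [(lineno, comment, fingerprint)] for every blacklisted key."""
    hits = []
    for lineno, _ktype, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        if fp in blacklist:
            hits.append((lineno, comment, fp))
    return hits

# Constructed data: an ed25519 blob standing in for a key from an affected host,
# a good one, and a blacklist built from the weak key's fingerprint.
WEAK_BLOB = ssh_blob("ssh-ed25519", bytes(range(32)))
GOOD_BLOB = ssh_blob("ssh-ed25519", bytes(range(32, 64)))
BLACKLIST = {fingerprint(WEAK_BLOB)}
SAMPLE_AUTHORIZED_KEYS = f"""# backup operator
ssh-ed25519 {GOOD_BLOB} ops@backup
from="10.0.0.0/8",no-pty ssh-ed25519 {WEAK_BLOB} deploy@debian-box
"""
```

`find_weak_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST)` returns only the option-prefixed entry on line 3; feed it a real file's contents and a vetted blacklist to audit a host.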

A bug in the Debian GNU/Linux distribution's OpenSSL package was announced today. This bug would allow an attacker to figure out private keys generated by these buggy versions of the OpenSSL library. Thus, all private keys generated by affected versions of OpenSSL must be considered to be compromised.

Tor uses OpenSSL, so Tor users and admins need to take action in order to remain secure in response to this problem.